Malicious PDF — malware analysis report

Static analysis result for SHA-256 fd4428c4788e588e…

Verdict: MALICIOUS
File type: PDF
Size: 67.4 KB
Created: 2010-06-29 10:14:47 +08:00
Authoring application: Acrobat 编辑器 8.0 (via Adobe Acrobat 8.0)
MD5: a635ba4778352a9ad012414bd31b35e7
SHA-1: af202374b07a4c4d5932e0a3bd5a54f6e694fb5e
SHA-256: fd4428c4788e588ee783eb88c5008b7ff162efd6ee1a4be5d7b1c57248e57106
Risk Score: 196

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF file contains embedded JavaScript that exploits CVE-2009-4324, specifically targeting the media.newPlayer API. The JavaScript is obfuscated but static analysis indicates it decodes and executes further stages. This exploit is commonly used to download and run additional malicious payloads, making it a likely initial access vector for further compromise.

Heuristics (7)

  • media.newPlayer — CVE-2009-4324 [critical] [CVE_2009_4324, exact CVE match]
    PDF JavaScript calls media.newPlayer. CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(); it was actively exploited as a zero-day in December 2009. (Identified after JavaScript deobfuscation.)
  • Secondary embedded PDF body has suspicious static findings [critical] [POLYGLOT_CHILD_PDF_STATIC_TRIAGE]
    A valid PDF body was found at a nonzero offset inside another container, and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • unescape() call [high] [PDF_UNESCAPE]
    unescape() found; it is often used to decode shellcode in PDF JS exploits. (Matched inside a decoded stream.)
  • Suspicious extracted artifact [medium] [EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action [low] [PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] [PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL [info] [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename: javascript_obj0021_000.js
  Kind: pdf-javascript-stream
  Source: PDF /JS object 21 at offset 0x514
  Size: 2371 bytes
  SHA-256: dd957791cf3ea91d9aa5ef655b3a1d6c4a92036e875c2437657f276955dab674
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 1 eval/decoder/string-building token(s), 2 long base64-like blob(s), and 1 long hex-escaped blob(s).

Filename: stream_009_off0000cc74.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0xCC74
  Size: 341 bytes
  SHA-256: 9d7e19ac218e6f8728365073f89e3d1f12b424f876a74ba4ef022cb2a54a74ce

Filename: legacy_pdfkit_stage_000.js
  Kind: deobfuscated-js
  Source: string-concatenation normalized Acrobat API aliases at offset 0x514
  Size: 126 bytes
  SHA-256: 42c3f4df375ff6f58ff655cc4f88b5cc28f0dd33b978390db3538684a6219b74

Filename: polyglot_child_pdf_off0000b506.pdf
  Kind: polyglot-child-pdf
  Source: Secondary PDF body inside PDF container at offset 0xB506
  Size: 22634 bytes
  SHA-256: b2dbf1b70f29b41da569667ecb933901cca9d7cf6129dc94ac8dfe455737ff8f

Filename: polyglot_child_pdf_off0000f583.pdf
  Kind: polyglot-child-pdf
  Source: Secondary PDF body inside PDF container at offset 0xF583
  Size: 6125 bytes
  SHA-256: 0b1c923c8a0028794f3a3244dc498786746334f394e41678cc58ffbeb707d0a8